PERFORCE change 105361 for review

Todd Miller millert at FreeBSD.org
Wed Aug 30 21:00:35 UTC 2006


http://perforce.freebsd.org/chv.cgi?CH=105361

Change 105361 by millert at millert_g4tower on 2006/08/30 21:00:07

	Split the MAC Framework kernel interface (the mac_foo
	routines) out into a separate header file, mac_framework.h.
	This mirrors a similar change in the TrustedBSD mac2 branch.

Affected files ...

.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/bsm/audit_kernel.h#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/bsd_init.c#3 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_acct.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_audit.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_bsm_audit.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_credential.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_exec.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_exit.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_fork.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_proc.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_prot.c#3 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_time.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_xxx.c#3 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/sys_socket.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/sysv_sem.c#3 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/sysv_shm.c#3 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/uipc_mbuf.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/uipc_mbuf2.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/uipc_socket.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/uipc_usrreq.c#3 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/miscfs/devfs/devfs_tree.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/miscfs/devfs/devfsdefs.h#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/net/bpf.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/net/bsd_comp.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/net/dlil.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/net/ppp_deflate.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/igmp.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/ip_icmp.c#3 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/ip_mroute.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/ip_output.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/raw_ip.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/tcp_input.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/tcp_output.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/tcp_subr.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet6/ip6_mroute.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet6/ip6_output.c#3 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet6/mld6.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/nfs/nfs_syscalls.c#3 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/nfs/nfs_vfsops.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/vfs/kpi_vfs.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/vfs/vfs_attrlist.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/vfs/vfs_init.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/vfs/vfs_lookup.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/vfs/vfs_subr.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/vfs/vfs_syscalls.c#5 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/vfs/vfs_vnops.c#3 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/vfs/vfs_xattr.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/vm/dp_backing_file.c#3 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/Makefile#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac.h#6 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_framework.h#1 add

Differences ...

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/bsm/audit_kernel.h#2 (text+ko) ====

@@ -32,7 +32,7 @@
 
 #ifdef MAC
 #include <sys/queue.h>
-#include <security/mac.h>
+#include <security/mac_framework.h>
 #endif
 
 #ifdef KERNEL

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/bsd_init.c#3 (text+ko) ====

@@ -124,7 +124,7 @@
 #include <net/init.h>
 
 #ifdef MAC
-#include <security/mac.h>
+#include <security/mac_framework.h>
 #endif
 
 extern int app_profile;		/* on/off switch for pre-heat cache */

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_acct.c#2 (text+ko) ====

@@ -89,7 +89,7 @@
 #include <sys/sysproto.h>
 #include <machine/spl.h>
 #ifdef MAC
-#include <security/mac.h>
+#include <security/mac_framework.h>
 #endif
 
 /*

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_audit.c#2 (text+ko) ====

@@ -69,6 +69,7 @@
 
 #ifdef MAC
 #include <security/mac.h>
+#include <security/mac_framework.h>
 #include <security/mac_policy.h>
 #endif
 
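Review bot: This hunk keeps `#include <security/mac.h>` and adds `#include <security/mac_framework.h>` beside it, while every other .c file in the change swaps the one for the other; bsd/kern/uipc_socket.c and bsd/vfs/vfs_syscalls.c keep both as well. That is plausible if these three files handle the userland label type (`struct mac` / `mac_t`, which mac.h still declares after this change) in addition to calling the kernel mac_foo routines, but the commit does not record it, and since mac_framework.h#1 lies past the truncated end of this mail it cannot be seen here whether that header includes mac.h itself (making the extra include redundant) or relies on forward declarations only (making the kept include load-bearing). A one-line comment on the retained include, such as `/* struct mac / mac_t: userland label ABI */`, would make the intent explicit at each of the three sites.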

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_bsm_audit.c#2 (text+ko) ====

@@ -50,7 +50,7 @@
 #include <kern/kalloc.h>
 
 #ifdef MAC
-#include <security/mac.h>
+#include <security/mac_framework.h>
 #endif
 
 /* The number of BSM records allocated. */

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_credential.c#2 (text+ko) ====

@@ -61,7 +61,7 @@
 #include <kern/assert.h>
 
 #ifdef MAC
-#include <security/mac.h>
+#include <security/mac_framework.h>
 #endif
 
 #define CRED_DIAGNOSTIC 1

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_exec.c#2 (text+ko) ====

@@ -110,7 +110,7 @@
 #include <mach/vm_param.h>
 
 #ifdef MAC
-#include <security/mac.h>
+#include <security/mac_framework.h>
 #endif
 
 #include <vm/vm_map.h>

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_exit.c#2 (text+ko) ====

@@ -112,7 +112,7 @@
 #endif
 
 #ifdef MAC
-#include <security/mac.h>
+#include <security/mac_framework.h>
 #include <sys/syscall.h>
 #endif
 

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_fork.c#2 (text+ko) ====

@@ -101,7 +101,7 @@
 #include <machine/spl.h>
 
 #ifdef MAC
-#include <security/mac.h>
+#include <security/mac_framework.h>
 #endif
 
 #include <vm/vm_protos.h>       // for vm_map_commpage64

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_proc.c#2 (text+ko) ====

@@ -90,7 +90,7 @@
 #include <sys/kernel_types.h>
 
 #ifdef MAC
-#include <security/mac.h>
+#include <security/mac_framework.h>
 #endif
 
 /*

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_prot.c#3 (text+ko) ====

@@ -94,7 +94,7 @@
 #endif
 
 #ifdef MAC
-#include <security/mac.h>
+#include <security/mac_framework.h>
 #endif
 
 #include <sys/mount_internal.h>

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_time.c#2 (text+ko) ====

@@ -76,7 +76,7 @@
 #include <kern/clock.h>
 #include <kern/thread_call.h>
 #ifdef MAC
-#include <security/mac.h>
+#include <security/mac_framework.h>
 #endif
 
 #define HZ	100	/* XXX */

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_xxx.c#3 (text+ko) ====

@@ -78,7 +78,7 @@
 #include <sys/mount_internal.h>
 #include <sys/sysproto.h>
 #ifdef MAC
-#include <security/mac.h>
+#include <security/mac_framework.h>
 #endif
 
 int

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/sys_socket.c#2 (text+ko) ====

@@ -79,7 +79,7 @@
 #include <net/route.h>
 
 #ifdef MAC
-#include <security/mac.h>
+#include <security/mac_framework.h>
 #endif
 
 /*

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/sysv_sem.c#3 (text+ko) ====

@@ -53,7 +53,7 @@
 #include <sys/sysent.h>
 #include <sys/sysproto.h>
 #ifdef MAC
-#include <security/mac.h>
+#include <security/mac_framework.h>
 #endif
 
 #include <bsm/audit_kernel.h>

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/sysv_shm.c#3 (text+ko) ====

@@ -74,7 +74,7 @@
 #include <sys/sysent.h>
 #include <sys/sysproto.h>
 #ifdef MAC
-#include <security/mac.h>
+#include <security/mac_framework.h>
 #endif
 
 #include <bsm/audit_kernel.h>

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/uipc_mbuf.c#2 (text+ko) ====

@@ -88,7 +88,7 @@
 #include <IOKit/IOMapper.h>
 
 #ifdef MAC
-#include <security/mac.h>
+#include <security/mac_framework.h>
 #endif
 
 extern vm_offset_t kmem_mb_alloc(vm_map_t  , int );

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/uipc_mbuf2.c#2 (text+ko) ====

@@ -106,7 +106,7 @@
 #endif
 
 #ifdef MAC
-#include <security/mac.h>
+#include <security/mac_framework.h>
 #endif
 
 /*

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/uipc_socket.c#2 (text+ko) ====

@@ -94,6 +94,7 @@
 
 #ifdef MAC
 #include <security/mac.h>
+#include <security/mac_framework.h>
 #endif
 
 int			so_cache_hw = 0;

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/uipc_usrreq.c#3 (text+ko) ====

@@ -87,7 +87,7 @@
 #include <kern/locks.h>
 
 #ifdef MAC
-#include <security/mac.h>
+#include <security/mac_framework.h>
 #endif
 
 #define f_msgcount f_fglob->fg_msgcount

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/miscfs/devfs/devfs_tree.c#2 (text+ko) ====

@@ -97,7 +97,7 @@
 #include "devfsdefs.h"
 
 #ifdef MAC
-#include <security/mac.h>
+#include <security/mac_framework.h>
 #endif
 
 static void	devfs_release_busy(devnode_t *);

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/miscfs/devfs/devfsdefs.h#2 (text+ko) ====

@@ -66,7 +66,7 @@
 
 #include  <sys/appleapiopts.h>
 
-#include <security/mac.h>
+#include <security/mac_framework.h>
 
 #ifdef __APPLE_API_PRIVATE
 #define DEVMAXNAMESIZE 	32 		/* XXX */
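Review bot: The new `#include <security/mac_framework.h>` in devfsdefs.h is unconditional, whereas every other site in this change wraps the include in `#ifdef MAC` (bsd/miscfs/devfs/devfs_tree.c, for example), so a non-MAC build of devfs now depends on a header whose purpose is the MAC kernel interface. The replaced `<security/mac.h>` include was unguarded too, so this is pre-existing, but the swap is the natural moment to bring the header in line with the rest of the tree: `#ifdef MAC`, `#include <security/mac_framework.h>`, `#endif`. If devfsdefs.h deliberately needs a declaration from the header in every configuration, a short comment saying which one would save the next reader the question; the contents of mac_framework.h are beyond the truncated part of this mail, so whether it self-guards cannot be confirmed here.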

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/net/bpf.c#2 (text+ko) ====

@@ -114,7 +114,7 @@
 #include <kern/locks.h>
 
 #ifdef MAC
-#include <security/mac.h>
+#include <security/mac_framework.h>
 #endif
 
 extern int tvtohz(struct timeval *);

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/net/bsd_comp.c#2 (text+ko) ====

@@ -79,7 +79,7 @@
 #include <net/ppp_comp.h>
 
 #ifdef MAC
-#include <security/mac.h>
+#include <security/mac_framework.h>
 #endif
 
 #if DO_BSD_COMPRESS

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/net/dlil.c#2 (text+ko) ====

@@ -63,7 +63,7 @@
 #include <machine/machine_routines.h>
 
 #ifdef MAC
-#include <security/mac.h>
+#include <security/mac_framework.h>
 #endif
 
 #define DBG_LAYER_BEG		DLILDBG_CODE(DBG_DLIL_STATIC, 0)

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/net/ppp_deflate.c#2 (text+ko) ====

@@ -65,7 +65,7 @@
 #include <net/ppp_comp.h>
 
 #ifdef MAC
-#include <security/mac.h>
+#include <security/mac_framework.h>
 #endif
 
 #if DO_DEFLATE

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/igmp.c#2 (text+ko) ====

@@ -96,7 +96,7 @@
 #include <netinet/igmp_var.h>
 
 #ifdef MAC
-#include <security/mac.h>
+#include <security/mac_framework.h>
 #endif
 
 #ifndef __APPLE__

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/ip_icmp.c#3 (text+ko) ====

@@ -98,7 +98,7 @@
 #endif
 
 #ifdef MAC
-#include <security/mac.h>
+#include <security/mac_framework.h>
 #endif
 
  /* XXX This one should go in sys/mbuf.h. It is used to avoid that

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/ip_mroute.c#2 (text+ko) ====

@@ -63,7 +63,7 @@
 #include <netinet/udp.h>
 
 #ifdef MAC
-#include <security/mac.h>
+#include <security/mac_framework.h>
 #endif
 
 #ifndef NTOHL

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/ip_output.c#2 (text+ko) ====

@@ -87,7 +87,7 @@
 #include <netinet/kpi_ipfilter_var.h>
 
 #ifdef MAC
-#include <security/mac.h>
+#include <security/mac_framework.h>
 #endif
 
 #include "faith.h"

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/raw_ip.c#2 (text+ko) ====

@@ -99,7 +99,7 @@
 #endif
 
 #ifdef MAC
-#include <security/mac.h>
+#include <security/mac_framework.h>
 #endif
 
 #if IPSEC

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/tcp_input.c#2 (text+ko) ====

@@ -118,7 +118,7 @@
 #endif /*IPSEC*/
 
 #ifdef MAC
-#include <security/mac.h>
+#include <security/mac_framework.h>
 #endif
 
 #include <sys/kdebug.h>

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/tcp_output.c#2 (text+ko) ====

@@ -103,7 +103,7 @@
 #endif /*IPSEC*/
 
 #ifdef MAC
-#include <security/mac.h>
+#include <security/mac_framework.h>
 #endif
 
 #define DBG_LAYER_BEG		NETDBG_CODE(DBG_NETTCP, 1)

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/tcp_subr.c#2 (text+ko) ====

@@ -123,7 +123,7 @@
 #endif /*IPSEC*/
 
 #ifdef MAC
-#include <security/mac.h>
+#include <security/mac_framework.h>
 #endif
 
 #include <sys/md5.h>

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet6/ip6_mroute.c#2 (text+ko) ====

@@ -80,7 +80,7 @@
 #include <netinet6/pim6_var.h>
 
 #ifdef MAC
-#include <security/mac.h>
+#include <security/mac_framework.h>
 #endif
 
 #ifndef __APPLE__

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet6/ip6_output.c#3 (text+ko) ====

@@ -108,7 +108,7 @@
 #endif /* IPSEC */
 
 #ifdef MAC
-#include <security/mac.h>
+#include <security/mac_framework.h>
 #endif
 
 #include <netinet6/ip6_fw.h>

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet6/mld6.c#2 (text+ko) ====

@@ -94,7 +94,7 @@
 #include <net/net_osdep.h>
 
 #ifdef MAC
-#include <security/mac.h>
+#include <security/mac_framework.h>
 #endif
 
 /*

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/nfs/nfs_syscalls.c#3 (text+ko) ====

@@ -114,7 +114,7 @@
 #include <nfs/nfsrtt.h>
 #include <nfs/nfs_lock.h>
 #ifdef MAC
-#include <security/mac.h>
+#include <security/mac_framework.h>
 #endif
 
 extern void unix_syscall_return(int);

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/nfs/nfs_vfsops.c#2 (text+ko) ====

@@ -104,7 +104,7 @@
 #include <nfs/nfsdiskless.h>
 #include <nfs/nfs_lock.h>
 #ifdef MAC
-#include <security/mac.h>
+#include <security/mac_framework.h>
 #endif
 
 extern int	nfs_mountroot(void);

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/vfs/kpi_vfs.c#2 (text+ko) ====

@@ -108,7 +108,7 @@
 #include <mach/memory_object_types.h>
 
 #ifdef MAC
-#include <security/mac.h>
+#include <security/mac_framework.h>
 #endif
 
 #define ESUCCESS 0

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/vfs/vfs_attrlist.c#2 (text+ko) ====

@@ -46,7 +46,7 @@
 #include <hfs/hfs.h>
 
 #ifdef MAC
-#include <security/mac.h>
+#include <security/mac_framework.h>
 #endif
 
 #define ATTR_TIME_SIZE	-1

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/vfs/vfs_init.c#2 (text+ko) ====

@@ -79,7 +79,7 @@
 #include <sys/malloc.h>
 
 #ifdef MAC
-#include <security/mac.h>
+#include <security/mac_framework.h>
 #include <sys/kauth.h>
 #endif
 

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/vfs/vfs_lookup.c#2 (text+ko) ====

@@ -86,7 +86,7 @@
 #include <bsm/audit_kernel.h>
 
 #ifdef MAC
-#include <security/mac.h>
+#include <security/mac_framework.h>
 #endif
 
 #if KTRACE

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/vfs/vfs_subr.c#2 (text+ko) ====

@@ -112,7 +112,7 @@
 #include <mach/memory_object_types.h>
 
 #ifdef MAC
-#include <security/mac.h>
+#include <security/mac_framework.h>
 #endif
 
 extern lck_grp_t *vnode_lck_grp;

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/vfs/vfs_syscalls.c#5 (text+ko) ====

@@ -107,6 +107,7 @@
 
 #ifdef MAC
 #include <security/mac.h>
+#include <security/mac_framework.h>
 #endif
 
 /*

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/vfs/vfs_vnops.c#3 (text+ko) ====

@@ -95,7 +95,7 @@
 #include <miscfs/specfs/specdev.h>
 
 #ifdef MAC
-#include <security/mac.h>
+#include <security/mac_framework.h>
 #endif
 
 

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/vfs/vfs_xattr.c#2 (text+ko) ====

@@ -47,7 +47,7 @@
 #include <vm/vm_kern.h>
 
 #ifdef MAC
-#include <security/mac.h>
+#include <security/mac_framework.h>
 #endif
 
 /*

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/vm/dp_backing_file.c#3 (text+ko) ====

@@ -64,7 +64,7 @@
 #include <vm/vnode_pager.h>
 #include <vm/vm_protos.h>
 #ifdef MAC
-#include <security/mac.h>
+#include <security/mac_framework.h>
 #endif
 
 extern thread_t current_act(void);

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/Makefile#2 (text+ko) ====

@@ -23,6 +23,7 @@
 	mac.h \
 	mac_alloc.h \
 	mac_data.h \
+	mac_framework.h \
 	mac_policy.h \
 	mac_mach_internal.h \
 	mac_internal.h

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac.h#6 (text+ko) ====

@@ -1,7 +1,7 @@
 /*-
  * Copyright (c) 1999-2002 Robert N. M. Watson
  * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
- * Copyright (c) 2005 SPARTA, Inc.
+ * Copyright (c) 2005-2006 SPARTA, Inc.
  * All rights reserved.
  *
  * This software was developed by Robert Watson for the TrustedBSD Project.
@@ -11,6 +11,9 @@
  * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
  * as part of the DARPA CHATS research program.
  *
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * N66001-04-C-6019 ("SEFOS").
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -35,7 +38,7 @@
  * $FreeBSD: src/sys/sys/mac.h,v 1.40 2003/04/18 19:57:37 rwatson Exp $
  */
 /*
- * Userland/kernel interface for Mandatory Access Control.
+ * Userland interface for Mandatory Access Control.
  *
  * The POSIX.1e implementation page may be reached at:
  * http://www.trustedbsd.org/
@@ -65,7 +68,6 @@
 typedef struct mac	*mac_t;
 
 #ifndef KERNEL
-
 /*
  * Location of the userland MAC framework configuration file.  mac.conf
  * binds policy names to shared libraries that understand those policies,
@@ -104,433 +106,6 @@
 int	 mac_syscall(const char *_policyname, int _call, void *_arg);
 int	 mac_to_text(mac_t mac, char **_text);
 __END_DECLS
-
-#else /* _KERNEL */
-
-#ifdef MAC
-
-/*
- * Kernel functions to manage and evaluate labels.
- */
-struct auditinfo;
-struct attrlist;
-struct bpf_d;
-struct componentname;
-struct devnode;
-struct fileproc;
-struct ifnet;
-struct lctx;
-struct mount;
-struct pseminfo;
-struct pshminfo;
-struct proc;
-struct semid_kernel;
-struct shmid_kernel;
-struct uthread;
-struct timespec;
-struct ucred;
-struct uio;
-struct vnode_attr;
-struct vnode;
-struct socket;
-struct sockaddr;
-struct mbuf;
-struct m_tag;
-struct vop_setlabel_args;
-struct pipe;
-
-/*
- * Framework initialization.
- */
-void mac_init_bsd(void);
-
-/*
- * Label operations.
- */
-void	mac_init_cred(struct ucred *);
-void	mac_init_devfsdirent(struct devnode *);
-int	mac_init_mbuf(struct mbuf *, int);
-int	mac_init_mbuf_tag(struct m_tag *, int);
-void	mac_init_mount(struct mount *);
-void	mac_init_pipe(struct pipe *cpipe);
-void	mac_init_posix_sem(struct pseminfo *);
-void	mac_init_posix_shm(struct pshminfo *);
-void	mac_init_proc(struct proc *);
-int	mac_init_socket(struct socket *, int waitok);
-void	mac_init_sysv_msgmsg(struct msg *);
-void 	mac_init_sysv_msgqueue(struct label *);
-void	mac_init_sysv_sem(struct semid_kernel*);
-void	mac_init_sysv_shm(struct shmid_kernel*);
-void	mac_init_vnode(struct vnode *vp);
-void	mac_copy_vnode_label(struct label *, struct label *label);
-void	mac_copy_devfs_label(struct label *, struct label *label);
-void	mac_copy_mbuf_tag(struct m_tag *, struct m_tag *);
-void	mac_copy_mbuf(struct mbuf *m_from, struct mbuf *m_to);
-void	mac_copy_socket_label(struct label *from, struct label *to);
-void	mac_destroy_cred(struct ucred *);
-void	mac_destroy_devfsdirent(struct devnode *);
-void	mac_destroy_mbuf(struct mbuf *);
-void	mac_destroy_mbuf_tag(struct m_tag *);
-void	mac_destroy_mount(struct mount *);
-void	mac_destroy_pipe(struct pipe *cpipe);
-void	mac_destroy_posix_sem(struct pseminfo *);
-void	mac_destroy_posix_shm(struct pshminfo *);
-void	mac_destroy_proc(struct proc *);
-void	mac_destroy_socket(struct socket *);
-void	mac_destroy_sysv_sem(struct semid_kernel *);
-void	mac_destroy_sysv_shm(struct shmid_kernel *);
-void	mac_destroy_vnode(struct vnode *);
-int	mac_internalize_mount_label(struct label *, char *string);
-int	mac_externalize_mount_label(struct label *label, char *elements,
-    char *outbuf, size_t outbuflen);
-
-struct label	*mac_cred_label_alloc(void);
-void		 mac_cred_label_free(struct label *label);
-int		 mac_get_cred_audit_labels(struct proc *p, struct mac *mac);
-struct label	*mac_vnode_label_alloc(void);
-void		 mac_vnode_label_free(struct label *label);
-int		 mac_get_vnode_audit_labels(struct vnode *vp, 
-			struct mac *mac);
-struct label	*mac_lctx_label_alloc(void);
-void		 mac_lctx_label_free(struct label *label);
-
-#define mac_update_task_from_cred(cred, task)				\
-	mac_update_task_label(((cred)->cr_label), task)
-
-/*
- * Labeling event operations: file system objects, and things that
- * look a lot like file system objects.
- */
-void	mac_associate_vnode_devfs(struct mount *mp, struct devnode *de,
-	    struct vnode *vp);
-int	mac_associate_vnode_extattr(struct mount *mp, struct vnode *vp);
-void	mac_associate_vnode_singlelabel(struct mount *mp, struct vnode *vp);
-void	mac_create_devfs_device(struct ucred *cr, struct mount *mp, dev_t dev,
-	    struct devnode *de, const char *fullpath);
-void	mac_create_devfs_directory(struct mount *mp, char *dirname,
-	    int dirnamelen, struct devnode *de, const char *fullpath);
-void	mac_create_devfs_symlink(struct ucred *cred, struct mount *mp,
-	    struct devnode *dd, struct devnode *de,
-	    const char *fullpath);
-int	mac_create_vnode_extattr(struct ucred *cred, struct mount *mp,
-	    struct vnode *dvp, struct vnode *vp, struct componentname *cnp);
-void	mac_create_mount(struct ucred *cred, struct mount *mp);
-void	mac_relabel_vnode(struct ucred *cred, struct vnode *vp,
-	    struct label *newlabel);
-void	mac_update_vnode_extattr(struct mount *mp, struct vnode *vp,
-	    const char *name);
-void	mac_update_devfsdirent(struct mount *mp, struct devnode *de,
-	    struct vnode *vp);
-
-#define	VNODE_LABEL_CREATE	1
-#define	VNODE_LABEL_NEEDREF	2
-int	vnode_label(struct mount *mp, struct vnode *dvp, struct vnode *vp,
-            struct componentname *cnp, int flags, vfs_context_t ctx);
-
-/*
- * Labeling event operations: Posix IPC primitives
- */
-void	mac_create_posix_sem(struct ucred *cred, struct pseminfo *psem,
-	    const char *name);
-void	mac_create_posix_shm(struct ucred *cred, struct pshminfo *pshm,
-	    const char *name);
-
-/*
- * Labeling event operations: sockets and network IPC
- *
- * Note: all functions involving sockets (and other network objects yet to be
- * implemented) hold (and rely on) the NETWORK_FUNNEL as opposed to the
- * KERNEL_FUNNEL.  When reading/writing kernel network objects, be sure to
- * hold the NETWORK_FUNNEL.  When reading/writing other types of kernel
- * objects (vnode for example), be sure to hold the KERNEL_FUNNEL. 
- *
- * XXX: Note that cred can be NULL in mac_create_socket() in Darwin.
- */
-void	mac_create_socket(struct ucred *cred, struct socket *so);
-void	mac_create_socket_from_socket(struct socket *oldsocket,
-	    struct socket *newsocket);
-void	mac_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct mbuf *m);
-void	mac_create_mbuf_from_ifnet(struct ifnet *ifp, struct mbuf *m);
-void	mac_create_mbuf_from_socket(struct socket *so, struct mbuf *m);
-void	mac_set_socket_peer_from_socket(struct socket *peersocket,
-	    struct socket *socket_to_modify);
-
-/*
- * Labeling event operations: System V IPC primitives
- */
-void	mac_create_sysv_msgmsg(struct ucred *cred, 
-	    struct msqid_kernel *msqptr, struct msg *msgptr);
-void	mac_create_sysv_msgqueue(struct ucred *cred,
-	    struct msqid_kernel *msqptr);
-void	mac_create_sysv_sem(struct ucred *cred,
-	    struct semid_kernel *semakptr);
-void	mac_create_sysv_shm(struct ucred *cred,
-	    struct shmid_kernel *shmsegptr);
-
-/*
- * Labeling event operations: processes.
- */
-void	mac_relabel_cred(struct ucred *cred, struct label *newlabel);
-void	mac_create_cred(struct ucred *cred_parent, struct ucred *cred_child);
-int	mac_execve_enter(user_addr_t mac_p, struct label *execlabel);
-#if 0
-void	mac_execve_exit(struct image_params *imgp); 
 #endif
-void	mac_execve_transition(struct ucred *old, struct ucred *newcred,
-	    struct vnode *vp, struct label *scriptvnodelabel,
-	    struct label *execlabel);
-int	mac_execve_will_transition(struct ucred *old, struct vnode *vp,
-	    struct label *scriptvnodelabel, struct label *execlabel,
-	    struct proc *p);
-void	mac_create_proc0(struct ucred *cred);
-void	mac_create_proc1(struct ucred *cred);
-#if 0
-void	mac_thread_userret(struct uthread *td);
-#endif
-
-void	mac_relabel_lctx(struct lctx *l, struct label *newlabel);
-
-/*
- * Labeling operations for pipes.
- */
-struct label	*mac_pipe_label_alloc(void);
-void	mac_pipe_label_free(struct label *label);
-void	mac_copy_pipe_label(struct label *src, struct label *dest);
-void	mac_create_pipe(struct ucred *cred, struct pipe *cpipe);
-int	mac_pipe_label_set(struct ucred *cred, struct pipe *cpipe,
-    struct label *label);
-
-/*
- * Label cleanup operation: This is the inverse complement for the mac_create
- * and associate type of hooks.  This hook lets the policy module(s) perform
- * a cleanup/flushing operation on the label associated with the objects,
- * without freeing up the space allocated.  This hook is useful in cases
- * where it is desirable to remove any labeling reference when recycling any
- * object to a pool.  This hook does not replace the mac_destroy hooks.
- */
-void	mac_cleanup_sysv_msgmsg(struct msg *msgptr);
-void 	mac_cleanup_sysv_msgqueue(struct label *msqlabel);
-void	mac_cleanup_sysv_sem(struct semid_kernel *semakptr);
-void	mac_cleanup_sysv_shm(struct shmid_kernel *shmsegptr);
-void	mac_cleanup_vnode(struct vnode *vp);
-
-/*
- * Access control checks.
- */
-int	mac_check_cred_relabel(struct ucred *cred, struct label *newlabel);
-int	mac_check_cred_visible(struct ucred *u1, struct ucred *u2);
-int	mac_check_lctx_relabel(struct lctx *l, struct label *newlabel);
-int	mac_check_posix_sem_create(struct ucred *cred, const char *name);
-int	mac_check_posix_sem_open(struct ucred *cred, struct pseminfo *ps);
-int	mac_check_posix_sem_post(struct ucred *cred, struct pseminfo *ps);
-int	mac_check_posix_sem_unlink(struct ucred *cred, struct pseminfo *ps,
-	    const char *name);
-int	mac_check_posix_sem_wait(struct ucred *cred, struct pseminfo *ps);
-int	mac_check_posix_shm_create(struct ucred *cred, const char *name);
-int	mac_check_posix_shm_open(struct ucred *cred, struct pshminfo *ps);
-int	mac_check_posix_shm_mmap(struct ucred *cred, struct pshminfo *ps,
-	    int prot, int flags);
-int	mac_check_posix_shm_stat(struct ucred *cred, struct pshminfo *ps);
-int	mac_check_posix_shm_truncate(struct ucred *cred, struct pshminfo *ps,
-	    size_t s);
-int	mac_check_posix_shm_unlink(struct ucred *cred, struct pshminfo *ps,
-	    const char *name);
-int	mac_check_sysv_msgmsq(struct ucred *cred, struct msg *msgptr,
-	    struct msqid_kernel *msqptr);
-int	mac_check_sysv_msgrcv(struct ucred *cred, struct msg *msgptr);
-int	mac_check_sysv_msgrmid(struct ucred *cred, struct msg *msgptr);
-int	mac_check_sysv_msqctl(struct ucred *cred, struct msqid_kernel *msqptr,
-	    int cmd);
-int	mac_check_sysv_msqget(struct ucred *cred, struct msqid_kernel *msqptr);
-int	mac_check_sysv_msqsnd(struct ucred *cred, struct msqid_kernel *msqptr);
-int	mac_check_sysv_msqrcv(struct ucred *cred, struct msqid_kernel *msqptr);
-int	mac_check_sysv_semctl(struct ucred *cred,
-	    struct semid_kernel *semakptr, int cmd);
-int	mac_check_fcntl(struct ucred *cred, struct fileproc *fp, int cmd,
-	    int arg);
-int	mac_check_get_fd(struct ucred *cred, struct fileproc *fp,
-	    char *elements, int len);
-	    
-/* 
- * Note: mac_check_ioctl is currently not called and will probably be broken into
- * more granular checks.
- */
-int	mac_check_ioctl(struct ucred *cred, struct fileproc *fp, int com,
-	    void *data);
-int	mac_check_sysv_semget(struct ucred *cred,
-	   struct semid_kernel *semakptr);
-int	mac_check_sysv_semop(struct ucred *cred,struct semid_kernel *semakptr,
-	    size_t accesstype);
-int	mac_check_sysv_shmat(struct ucred *cred,
-	    struct shmid_kernel *shmsegptr, int shmflg);
-int	mac_check_sysv_shmctl(struct ucred *cred,
-	    struct shmid_kernel *shmsegptr, int cmd);
-int	mac_check_sysv_shmdt(struct ucred *cred,
-	    struct shmid_kernel *shmsegptr);
-int	mac_check_sysv_shmget(struct ucred *cred,
-	    struct shmid_kernel *shmsegptr, int shmflg);
-int	mac_check_mount(struct ucred *cred, struct vnode *vp,
-	    const char *vfc_name);
-int	mac_check_remount(struct ucred *cred, struct mount *mp);
-int	mac_check_umount(struct ucred *cred, struct mount *mp);
-int	mac_check_mount_getattr(struct ucred *cred, struct mount *mp,
-	    struct vfs_attr *vfa);
-int	mac_check_mount_setattr(struct ucred *cred, struct mount *mp,
-	    struct vfs_attr *vfa);
-int	mac_check_mount_stat(struct ucred *cred, struct mount *mp);
-int	mac_check_mount_relabel(struct ucred *cred, struct mount *mp);
-int	mac_check_pipe_kqfilter(struct ucred *cred, struct knote *kn,
-	    struct pipe *cpipe);
-int	mac_check_pipe_ioctl(struct ucred *cred, struct pipe *cpipe,
-	    unsigned long cmd, void *data);
-int	mac_check_pipe_read(struct ucred *cred, struct pipe *cpipe);
-int	mac_check_pipe_select(struct ucred *cred, struct pipe *cpipe,
-	    int which);
-int	mac_check_pipe_stat(struct ucred *cred, struct pipe *cpipe);
-int	mac_check_pipe_write(struct ucred *cred, struct pipe *cpipe);
-int	mac_check_proc_debug(struct ucred *cred, struct proc *proc);
-int	mac_check_proc_getaudit(struct ucred *cred);
-int	mac_check_proc_getauid(struct ucred *cred);
-int	mac_check_proc_sched(struct ucred *cred, struct proc *proc);
-int	mac_check_proc_setaudit(struct ucred *cred, struct auditinfo *ai);
-int	mac_check_proc_setauid(struct ucred *cred, uid_t auid);
-int	mac_check_proc_signal(struct ucred *cred, struct proc *proc,
-	    int signum);
-int	mac_check_proc_wait(struct ucred *cred, struct proc *proc);
-int     mac_check_proc_setlcid(struct proc *, struct proc *, pid_t, pid_t);
-int     mac_check_proc_getlcid(struct proc *, struct proc *, pid_t);
-int	mac_check_set_fd(struct ucred *cred, struct fileproc *fp, char *buf,
-	    int buflen);
-int     mac_check_socket_accept(struct ucred *cred, struct socket *so);
-int	mac_check_socket_bind(struct ucred *cred, struct socket *so,
-	    struct sockaddr *addr);
-int	mac_check_socket_connect(struct ucred *cred, struct socket *so,
-	    struct sockaddr *addr);
-int	mac_check_socket_create(struct ucred *cred, int domain, int type,
-	    int protocol);
-int	mac_check_socket_deliver(struct socket *so, struct mbuf *m);
-int	mac_check_socket_kqfilter(struct ucred *cred, struct knote *kn,
-	    struct socket *so);
-int	mac_check_socket_listen(struct ucred *cred, struct socket *so);
-int	mac_check_socket_receive(struct ucred *cred, struct socket *so);
-int     mac_check_socket_select(struct ucred *cred, struct socket *so,
-	    int which);
-int	mac_check_socket_send(struct ucred *cred, struct socket *so);

>>> TRUNCATED FOR MAIL (1000 lines) <<<

